US20110066859A1 - Flexible broadcast authentication in resource-constrained systems: providing a tradeoff between communication and computational overheads - Google Patents
Flexible broadcast authentication in resource-constrained systems: providing a tradeoff between communication and computational overheads Download PDFInfo
- Publication number
- US20110066859A1 US20110066859A1 US12/561,013 US56101309A US2011066859A1 US 20110066859 A1 US20110066859 A1 US 20110066859A1 US 56101309 A US56101309 A US 56101309A US 2011066859 A1 US2011066859 A1 US 2011066859A1
- Authority
- US
- United States
- Prior art keywords
- signature
- key
- message
- private key
- hash function
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/10—Integrity
- H04W12/106—Packet or message integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/80—Wireless
Definitions
- This invention relates to a one-time signature authentication scheme for wireless communications and, more particularly, to a flexible authentication scheme for authenticating messages sent wirelessly between vehicles that is a combination of a Winternitz one-time signature scheme and a hash to obtain random subset one-time signature scheme that provides a trade-off between communication and computational overhead.
- V2V wireless communications have been proposed for improved automobile safety. Under these applications, vehicles broadcast information over the wireless medium to one another. V2V applications aim to assist drivers in avoiding accidents by providing early warnings and advisories about potentially dangerous situations using the messages exchanged over the wireless medium.
- Vehicle-to-vehicle safety applications such as blind spot warning (BSW) systems and cooperative collision warning (CCW) systems, rely on periodic V2V communications, such as the wireless dedicated short range communications (DSRC) standard.
- the advisories include road condition notification, co-operative collision warning, and so on. Security is critical in V2V driver assistance applications since drivers of vehicles are expected to make driving maneuvers based on the advisories they receive.
- the wireless messages are typically transmitted at 10 Hz per vehicle, and are typically authenticated using digital signatures based on an underlying public key infrastructure (PKI) in accordance with the IEEE 1609.2 standard specification.
- PKI public key infrastructure
- Each principal in a PKI system has a pair of keys, namely a private key and a public key.
- the private key is known only to the principal and the public key can be shared with other entities in the system.
- M the message that is to be secured using the keys.
- the sender of the message signs the message with his private key, and adds the signature to the message.
- the recipient can verify the signature of the message using the sender's public key.
- the various broadcast authentication techniques have a much wider application.
- the various broadcast authentication techniques discussed herein apply to communication networks where nodes broadcast information to one another in an authentic manner.
- every node is a sender and a receiver.
- a given node would broadcast its packets to multiple nodes, and it may also receive packets from multiple, and possibly different, nodes.
- V2V driver assistance applications amounts to ensuring authenticity and integrity of the messages transmitted over the air. In other words, security in the sense of broadcast authentication.
- the challenges include (i) resource constrained computing platforms, (ii) real-time latency requirements on the V2V messages, (iii) scarce communication bandwidth, and (iv) possibly rapid changes in the network topology.
- Such demands require the various algorithms to achieve security to impose minimal computations and communication overheads.
- the nodes would typically use an authentication protocol to achieve broadcast authenticity of the messages.
- An authentication protocol between a sender and a receiver enables the sender to send information to the receiver in an authentic manner.
- the authentication protocol used in the broadcast networks being discussed includes three steps, namely, key generation and public key distribution, signature generation and signature verification.
- key generation and public key distribution the sender executes a key generation algorithm for the authentication protocol and creates the public key, the private key and other variables. The sender then disseminates the public key to the receivers.
- signature generation when the sender needs to send an authentic message, the sender creates the message and populates it with the appropriate information, and then uses a signature generation algorithm for the authentication protocol.
- digital signature algorithms one public-private key pair can be used to sign a theoretically unlimited number of messages.
- one public-private key pair can be used to sign only one message.
- the signature generation algorithm generally uses the hash-and-sign paradigm. This means that the message is first hashed into a constant length string of bits. The hashed version, also called the message digest, is then signed using the signature generation algorithm.
- a receiver For signature verification, when a receiver needs to verify the authenticity of a received message, it needs to have in its possession the public key corresponding to the private key that signed the message. Assuming that the receiver does not have the public key, it uses the signature verification algorithm for the authentication protocol. The verification algorithm also first hashes the message to derive the message digest, which is then subject to further verification steps.
- ECDSA is a digital signature algorithm that can be used to sign a theoretically unlimited number of messages with a given public-private key pair. It is very bandwidth efficient since it has a small public key size and signature size. However, it is extremely computational intensive. A single hash operation, which is the building block of one-time signature algorithms, is four-five orders of magnitude quicker to execute on a generic processor as compared to an ECDSA signature generation or verification. For specialized hardware, the difference may even be higher.
- HORS random subset
- the known Winternitz one-time signature scheme can only be used to sign one message for a given public-private key pair. It is designed to be bandwidth efficient, and its signature size is moderate and its public key size is smaller than even ECDSA. Further, its computational overhead is still one-two orders of magnitude smaller than that of ECDSA.
- OTS schemes are typically constructed using the basic building blocks of a one-way hash function.
- One-way hash functions are functions that are easy to compute, but computationally infeasible to invert.
- the security of the OTS scheme depends on the security of the underlying one-way hash function.
- OTS schemes are constructed using the following general methodology.
- a set of private values (often known as seals) is selected randomly. This serves as the private key.
- a set of public keys (often known as verifiers) is them computed by applying a one-way hash function on the private keys.
- the set of public keys is transmitted authentically to all receivers. When signing a message, the message is mapped to a subset of private key values, and that subset is released as a signature.
- the one-way hash function that is used in the OTS scheme is public.
- the receiver performs a sequence of one-way hash function computations that would transform the released signature values into some of the public key values which were authentically communicated earlier.
- the security of the signature lies in the fact that to forge a signature, the attacker has to perform at least one inversion of the underlying one-way hash function.
- a flexible authentication scheme is disclosed that is a combination of a Winternitz one-time signature scheme and a hash to obtain random subset one-time signature scheme to provide consideration for communication and computational overhead.
- the flexible authentication scheme provides a matrix that includes rows of private key values and columns of private key values.
- the scheme performs a key pair generation process that provides a key pair including a private key and a public key for each row in the matrix, where the private key is a set of private key values for that row.
- Performing the key pair generation process includes applying a plurality of hash functions to the private key values, where a succeeding hash function provides a hash of the previous hash function.
- the scheme uses a signature generation algorithm that first computes a message digest by applying a hash function on the message to be signed, and then separates the message digest into two parts including signing bits and selection bits.
- the selection bits select which rows in the matrix are used to sign the message and the signing bits are signed by a signing algorithm using the private key values from the selected row.
- a receiver verifies the authenticity of the received message using the public key and a signature verification algorithm.
- FIG. 1 is a plan view of a vehicle including a vehicle-to-vehicle communications system
- FIG. 2 is a plan view of a Winternitz one-time signature scheme for authenticating messages
- FIG. 3 is a plan view of an HORS one-time signature scheme for authenticating messages
- FIG. 4 is a matrix of private key values
- FIG. 5 is a plan view of a first flexible authentication scheme for authenticating wireless messages that uses the private key values shown in FIG. 4 and is a combination of the schemes shown in FIGS. 2 and 3 , where every row of FIG. 4 , a corresponding scheme of FIG. 5 can be obtained;
- FIG. 6 is a plan view of a second flexible authentication scheme that is a combination of the schemes shown in FIGS. 2 and 3 .
- OTS schemes are an alternative to conventional digital signatures to provide broadcast authentication in V2V systems.
- OTS schemes published in the literature namely, the Winternitz and HORS OTS schemes, provide a tradeoff between communication and computational overhead, which is unsatisfactory since a linear reduction of one overhead requires tolerating an exponential increase in the other one.
- Two flexible authentication schemes are proposed below that provide a better tradeoff between these two overheads, specifically providing an exponential reduction of one of the overheads in return for an exponential increase in the other.
- FIG. 1 illustrates a plan view of a vehicle 10 including an on-board unit (OBU) 12 for a V2X wireless communications system.
- the OBU 12 receives location information from a GPS receiver 14 , and is able to communicate with other OBUs on other vehicles within a limited range.
- the vehicle 10 also includes various types of vehicle sensors 16 , such as cameras, accelerometers, temperature sensors, etc., that provide information to the OBU 12 .
- the vehicle sensor information can be used by the OBU 12 to notify other vehicles of various road and other conditions, such as ice, oil spills, etc.
- FIG. 2 is a plan view of a known Winternitz OTS scheme 20 .
- the scheme 20 includes a series of private key values 22 represented here as s 0 , s 1 , . . . , s 1 , - - - , s n .
- the set of private key values 22 is a private key S.
- a series of hash functions 24 , 26 and 28 are applied to the private key values 22 , shown here as hash function H, hash function H p and hash function H 2 , respectively, that are provided according to some predetermined and predefined rules.
- v is a public key V that has previously been disseminated to the vehicles.
- each of the private key values 22 are hashed H 2 k times.
- Algorithm 1 is a key generation and public key distribution algorithm for the authentication protocol that shows how the private and public key pair S and V is generated for the private key S and the public key V using the hash functions shown in FIG. 2 , where S is the set of private key values 22 and v is the verifier 30 .
- Algorithm 2 is a signature generation algorithm for the authentication protocol that shows how the Winternitz OTS scheme provides signature generation using the hashed version or message digest.
- Algorithm 3 is a signature verification algorithm for the authentication protocol that shows how the receiving vehicle provides signature verification of the signature on the message M after it has the signature ⁇ M and the verifier v using the hash functions H.
- FIG. 3 is a plan view of a known HORS OTS scheme 40 for providing message verification.
- the scheme 40 includes a series of private key values 42 , represented as s 0 , . . . , s m , . . . , s 2 j+1 , and a row of hash functions 44 , represented as H, for each private key value 42 .
- the hash functions 44 generate a series of public key values 46 , represented as verifiers v.
- the set of private key values 42 is the private key S and the set of public key values 46 is the public key V.
- Algorithm 4 is a generation and public key distribution algorithm for the authentication protocol that shows how the private and public key pair S and V is generated for the private key S and the public key V using the hash function H.
- Algorithm 5 is a signature generation algorithm for the authentication protocol that shows how the HORS OTS scheme provides signature generation using the hash version or message digest.
- Algorithm 6 is a signature verification algorithm for the authentication protocol that shows how the receiving vehicle provides signature verification of the signature on the message M after it has the signature ⁇ M and the public key V using the hash function H.
- the Winternitz OTS scheme employs a signature verification using a relatively few number of private key values 22 , but a large number of hash functions 24 , 26 and 28
- the HORS OTS scheme employs a signature verification using a relatively large number of private key values 42 , but a single hash function 44 .
- the communication and computational overhead associated with the Winternitz OTS scheme and the HORS OTS scheme are shown in Table 1 below.
- the communication overhead is the additional number of bits b that need to be transmitted for every message M that is secured using the OTS scheme. For every message M to be signed, the corresponding public key V has to be distributed ahead of time, and the signature ⁇ has to be appended to the message M. Thus, the communication overhead is the sum of the public key size (in bits) and the signature size (in bits).
- the computational overhead is the number of hash function computations required to verify the OTS.
- the security level is the hardness of breaking the OTS in terms of the key length (in bits) of an equally hard symmetric key cipher.
- the following discussion describes two flexible authentication schemes, namely FAS-I and FAS-II, that employ a combination of the Winternitz OTS scheme and the HORS OTS scheme discussed above.
- the flexible authentication schemes provide a tradeoff between the communication and computational overheads.
- the Winternitz OTS scheme the amount of public information that needs to be disseminated and the number of private key values that need to be stored is low, but the computational power that is required for the several layers of the hash functions is high.
- the HORS OTS scheme the amount of public information that needs to be disseminated and the number of private key values that need to be stored is high, but the computational overhead is low.
- the level of security that is desired would depend on how much hashing is done in the Winternitz scheme and how many private key values and verifiers are needed in the HORS OTS scheme.
- L nk
- the communication overhead is linear in l
- the computational overhead is exponential in k.
- an exponential increase in the computational overhead would have to be tolerated in order to gain a linear decrease in the communication overhead.
- FIG. 4 is a matrix 50 of random private key values 52 , or seals, chosen to form the private key S. Particularly, each row in the matrix 50 represents a series of private key values for a Winternitz OTS scheme and each column in the matrix 50 represents a series of private key values for a HORS OTS scheme.
- FIG. 5 is a plan view of the FAS-I OTS scheme that includes a series of private key values 62 , represented as s m 0 , s m 1 , . . . , s m l , . . . , s m n 1 for the third row of private key values 52 shown in FIG. 4 .
- a separate OTS scheme would be provided for each row of the private key values 52 for the matrix 50 .
- the OTS scheme 60 provides three hash functions 64 , 66 and 68 , represented as H, H P and H 2 k , where the hash function 68 for all of the private key values 62 that have been hashed by the hash functions 64 and 66 are concatenated into a verifier 70 , represented as v m .
- each row in the matrix 50 provides a separate verifier b m .
- a Winternitz key pair generation algorithm is run to generate the public key V for that row.
- the set of private key values 52 from each row constitutes the private keys S.
- To sign a message M the hashed version of the message M is broken into two parts, namely signing bits and selection bits. The selection bits select which rows will be used to sign the message M and the signing bits are signed by the Winternitz signing algorithm using the values from that row.
- Algorithm 7 below is a key generation and public key distribution algorithm for the authentication protocol that shows how the FAS-I OTS scheme generates the key pair S and V, including generation of the matrix 50 .
- Algorithm 8 below is a signature generation algorithm for the authentication protocol that shows how the FAS-I OTS scheme provides the signature generation using the hash version or message digest.
- Algorithm 9 below is a signature verification algorithm for the authentication protocol that shows how the FAS-I OTS scheme provides signature verification in the receiving vehicle.
- FIG. 6 is a plan view of an FAS-II OTS scheme 80 including a set of private key values 82 , represented as s c , s 0 , . . . , s m , . . . , s 2 j ⁇ 1 and a series of hash functions 84 , 86 and 88 , represented as H, H P and H 2 k , respectively, where the results of the hash function 88 is a series of verifiers 90 , represented as b c , b 0 , b n and b 2 j ⁇ 1 .
- a first set of random seals are chosen as the private key values 82 and a Winternitz like hash chains are built.
- the public key V consists of the final values of all the hash chains rather than the hash of their concatenation.
- the hashed version of the message M is broken into two parts, namely signing bits and selection bits.
- the selection bits select which of the private key values 82 will be used for signing and the signing bits are signed by an analogous process to the Winternitz signing algorithm.
- Algorithm 10 is a key generation and public key distribution algorithm for the authentication protocol that shows a process for generating the private and public key pair S and V in the FAS-II OTS scheme.
- Algorithm 11 is a signature generation algorithm for the authentication protocol that shows a process for the signature generation for the FAS-II OTS scheme using the hash version or message digest.
- Algorithm 12 is a signature verification algorithm for the authentication protocol that shows a process of how the signatures are verified in the receiver for the FAS-II OTS scheme.
- the overhead associated with the FAS-I and FAS-II OTS schemes are shown in Table 2 below.
- the communication cost is given in terms of the number of bits.
- the computational cost is the verification time, and is given in terms of the number of hash operations required.
- the security level is given in number of bits. The security analysis used to derive the entries in the table is given below.
- the security analysis of the FAS-I and FAS-II OTS schemes is analogous to that of the HORS OTS scheme.
- the OTS scheme interest is in the probability that, after applying the hash unction H on a single message M, the advisory is able to forge a signature on the message M without inverting the one-way hash function H.
- the hash of the message M to be signed is broken up into ‘n’ j-bit words, which are used for selecting n out of 2 j rows and k-bit words, which are used to create a Winternitz OTS scheme on each of the n chosen rows.
- n j-bit words
- k-bit words which are used to create a Winternitz OTS scheme on each of the n chosen rows.
- the hash of the message M is broken up into ‘n’ words of length k+j. For each word, the last j bits are used to select a column. Thus, n columns are selected, and then the former k bits of all the n words are signed using the Winternitz signing algorithm.
- a signature would require the attacker to find another message M′ that hashes to m′ such that when broken up into ‘n’ words of length k+j, it would be a permutation of a subset of the ‘n’ words of length k+j of m.
- the probability of this event (again, assuming that H is random oracle) is a
Abstract
Description
- 1. Field of the Invention
- This invention relates to a one-time signature authentication scheme for wireless communications and, more particularly, to a flexible authentication scheme for authenticating messages sent wirelessly between vehicles that is a combination of a Winternitz one-time signature scheme and a hash to obtain random subset one-time signature scheme that provides a trade-off between communication and computational overhead.
- 2. Discussion of the Related Art
- Vehicle-to-vehicle (V2V) wireless communications have been proposed for improved automobile safety. Under these applications, vehicles broadcast information over the wireless medium to one another. V2V applications aim to assist drivers in avoiding accidents by providing early warnings and advisories about potentially dangerous situations using the messages exchanged over the wireless medium. Vehicle-to-vehicle safety applications, such as blind spot warning (BSW) systems and cooperative collision warning (CCW) systems, rely on periodic V2V communications, such as the wireless dedicated short range communications (DSRC) standard. The advisories include road condition notification, co-operative collision warning, and so on. Security is critical in V2V driver assistance applications since drivers of vehicles are expected to make driving maneuvers based on the advisories they receive.
- The wireless messages are typically transmitted at 10 Hz per vehicle, and are typically authenticated using digital signatures based on an underlying public key infrastructure (PKI) in accordance with the IEEE 1609.2 standard specification. Each principal in a PKI system has a pair of keys, namely a private key and a public key. The private key is known only to the principal and the public key can be shared with other entities in the system. The keys can be visualized as a pair of functions Pr and Pu representing the private and public keys, respectively, and having the property M=Pr(Pu(M)) and M=Pu(Pr(M)), where M is the message that is to be secured using the keys. To ensure message integrity, the sender of the message signs the message with his private key, and adds the signature to the message. Upon receiving the message, the recipient can verify the signature of the message using the sender's public key.
- Although the discussion herein pertains to V2V networking, the various broadcast authentication techniques have a much wider application. At an abstract level, the various broadcast authentication techniques discussed herein apply to communication networks where nodes broadcast information to one another in an authentic manner. In these networks, potentially every node is a sender and a receiver. Thus, a given node would broadcast its packets to multiple nodes, and it may also receive packets from multiple, and possibly different, nodes. It is desirable to conserve bandwidth in these types of communication networks. Bandwidth is consumed when the public key is sent ahead of the messages or packets. Additional bandwidth is also consumed when signatures are appended to messages or packets. It is also desirable to conserve the use of the vehicle computer or CPU for verifying received messages. If all nodes send messages at some rate, then a vehicle might receive many more messages as compared to how many it sends. Thus, generally, when computational overhead is referred to, the time taken for key generation and signature generation is ignored, and the process focuses only on the time taken for signature verification.
- Providing security in V2V driver assistance applications amounts to ensuring authenticity and integrity of the messages transmitted over the air. In other words, security in the sense of broadcast authentication. There are a number of challenges in providing security for V2V communications for the aforementioned driver assistance applications. The challenges include (i) resource constrained computing platforms, (ii) real-time latency requirements on the V2V messages, (iii) scarce communication bandwidth, and (iv) possibly rapid changes in the network topology. Such demands require the various algorithms to achieve security to impose minimal computations and communication overheads.
- For the communications networks being discussed herein, the nodes would typically use an authentication protocol to achieve broadcast authenticity of the messages. An authentication protocol between a sender and a receiver enables the sender to send information to the receiver in an authentic manner. The authentication protocol used in the broadcast networks being discussed includes three steps, namely, key generation and public key distribution, signature generation and signature verification. For key generation and public key distribution, the sender executes a key generation algorithm for the authentication protocol and creates the public key, the private key and other variables. The sender then disseminates the public key to the receivers.
- For signature generation, when the sender needs to send an authentic message, the sender creates the message and populates it with the appropriate information, and then uses a signature generation algorithm for the authentication protocol. In the case of digital signature algorithms, one public-private key pair can be used to sign a theoretically unlimited number of messages. In the case of one-time signature algorithms, as the name suggests, one public-private key pair can be used to sign only one message. Thus, in order to sign a message using a one-time signature, the sender needs to use the key generation algorithm and distribute the public key ahead of time. The signature generation algorithm generally uses the hash-and-sign paradigm. This means that the message is first hashed into a constant length string of bits. The hashed version, also called the message digest, is then signed using the signature generation algorithm.
- For signature verification, when a receiver needs to verify the authenticity of a received message, it needs to have in its possession the public key corresponding to the private key that signed the message. Assuming that the receiver does not have the public key, it uses the signature verification algorithm for the authentication protocol. The verification algorithm also first hashes the message to derive the message digest, which is then subject to further verification steps.
- The problem of broadcast authentication has been well-studied in the literature. However, there is no existing scheme that achieves all of the desired properties. For example, digital signatures achieve broadcast authentication with a reasonable communication overhead, such as elliptic curve digital signature algorithm (ECDSA). However, they are computationally quite intensive. One-time signature (OTS) schemes are a computationally efficient alternative, albeit at the expense of increased communication overhead.
- ECDSA is a digital signature algorithm that can be used to sign a theoretically unlimited number of messages with a given public-private key pair. It is very bandwidth efficient since it has a small public key size and signature size. However, it is extremely computational intensive. A single hash operation, which is the building block of one-time signature algorithms, is four-five orders of magnitude quicker to execute on a generic processor as compared to an ECDSA signature generation or verification. For specialized hardware, the difference may even be higher.
- A hash to obtain random subset (HORS) is a one-time signature algorithm that is generally used to sign only one message with a given public-private key pair. It may be used to sign multiple messages, but the security degrades rapidly. HORS is designed to be a fast authentication scheme, so it is extremely efficient computationally since it involves just a few hash operations. However, its bandwidth overhead is quite overwhelming, its signature size is moderate, but its public key size is extremely large, i.e., six-seven orders of magnitude higher than ECDSA.
- The known Winternitz one-time signature scheme can only be used to sign one message for a given public-private key pair. It is designed to be bandwidth efficient, and its signature size is moderate and its public key size is smaller than even ECDSA. Further, its computational overhead is still one-two orders of magnitude smaller than that of ECDSA.
- OTS schemes are typically constructed using the basic building blocks of a one-way hash function. One-way hash functions are functions that are easy to compute, but computationally infeasible to invert. The security of the OTS scheme depends on the security of the underlying one-way hash function. In general, OTS schemes are constructed using the following general methodology. A set of private values (often known as seals) is selected randomly. This serves as the private key. A set of public keys (often known as verifiers) is them computed by applying a one-way hash function on the private keys. The set of public keys is transmitted authentically to all receivers. When signing a message, the message is mapped to a subset of private key values, and that subset is released as a signature. Usually, the one-way hash function that is used in the OTS scheme is public. The receiver performs a sequence of one-way hash function computations that would transform the released signature values into some of the public key values which were authentically communicated earlier. The security of the signature lies in the fact that to forge a signature, the attacker has to perform at least one inversion of the underlying one-way hash function. These steps are shown below.
-
- 1. Select a one-way hash function, say, H: {0,1}*→{0,1}L.
- 2. Randomly choose a set of private values each of length L.
- 3. Generate one or a set of public values applying H(.) on the private values.
- 4. The set of private values act as private/signing key.
- 5. The set of public values act as public/verification key.
- 6. Map the message to be signed to the sub-set of private keys.
- 7. Release the sub-set of private keys obtained in step 6 as a signature.
- In accordance with the teachings of the present invention, a flexible authentication scheme is disclosed that is a combination of a Winternitz one-time signature scheme and a hash to obtain random subset one-time signature scheme to provide consideration for communication and computational overhead. In one embodiment, the flexible authentication scheme provides a matrix that includes rows of private key values and columns of private key values. The scheme performs a key pair generation process that provides a key pair including a private key and a public key for each row in the matrix, where the private key is a set of private key values for that row. Performing the key pair generation process includes applying a plurality of hash functions to the private key values, where a succeeding hash function provides a hash of the previous hash function. The scheme uses a signature generation algorithm that first computes a message digest by applying a hash function on the message to be signed, and then separates the message digest into two parts including signing bits and selection bits. The selection bits select which rows in the matrix are used to sign the message and the signing bits are signed by a signing algorithm using the private key values from the selected row. A receiver verifies the authenticity of the received message using the public key and a signature verification algorithm.
- Additional features of the present invention will become apparent from the following description and appended claims, taken in conjunction with the accompanying drawings.
-
FIG. 1 is a plan view of a vehicle including a vehicle-to-vehicle communications system; -
FIG. 2 is a plan view of a Winternitz one-time signature scheme for authenticating messages; -
FIG. 3 is a plan view of an HORS one-time signature scheme for authenticating messages; -
FIG. 4 is a matrix of private key values; -
FIG. 5 is a plan view of a first flexible authentication scheme for authenticating wireless messages that uses the private key values shown inFIG. 4 and is a combination of the schemes shown inFIGS. 2 and 3 , where every row ofFIG. 4 , a corresponding scheme ofFIG. 5 can be obtained; and -
FIG. 6 is a plan view of a second flexible authentication scheme that is a combination of the schemes shown inFIGS. 2 and 3 . - The following discussion of the embodiments of the invention directed to a flexible authentication scheme for authenticating wireless messages that is a combination of the Winternitz and HORS one-time signature schemes is merely exemplary in nature, and is in no way intended to limit the invention or its applications and uses.
- OTS schemes are an alternative to conventional digital signatures to provide broadcast authentication in V2V systems. OTS schemes published in the literature, namely, the Winternitz and HORS OTS schemes, provide a tradeoff between communication and computational overhead, which is unsatisfactory since a linear reduction of one overhead requires tolerating an exponential increase in the other one. Two flexible authentication schemes are proposed below that provide a better tradeoff between these two overheads, specifically providing an exponential reduction of one of the overheads in return for an exponential increase in the other.
-
FIG. 1 illustrates a plan view of avehicle 10 including an on-board unit (OBU) 12 for a V2X wireless communications system. TheOBU 12 receives location information from aGPS receiver 14, and is able to communicate with other OBUs on other vehicles within a limited range. Thevehicle 10 also includes various types ofvehicle sensors 16, such as cameras, accelerometers, temperature sensors, etc., that provide information to theOBU 12. The vehicle sensor information can be used by theOBU 12 to notify other vehicles of various road and other conditions, such as ice, oil spills, etc. -
FIG. 2 is a plan view of a knownWinternitz OTS scheme 20. Thescheme 20 includes a series of private key values 22 represented here as s0, s1, . . . , s1, - - - , sn. The set of private key values 22 is a private key S. A series of hash functions 24, 26 and 28 are applied to the private key values 22, shown here as hash function H, hash function Hp and hash function H2, respectively, that are provided according to some predetermined and predefined rules. The results of thefinal hash function 28 are concatenated together to arrive at averifier 30, represented as v, which is a public key V that has previously been disseminated to the vehicles. In this example, each of the private key values 22 are hashed H2k times. -
Algorithm 1 below is a key generation and public key distribution algorithm for the authentication protocol that shows how the private and public key pair S and V is generated for the private key S and the public key V using the hash functions shown inFIG. 2 , where S is the set of private key values 22 and v is theverifier 30.Algorithm 2 below is a signature generation algorithm for the authentication protocol that shows how the Winternitz OTS scheme provides signature generation using the hashed version or message digest. Algorithm 3 below is a signature verification algorithm for the authentication protocol that shows how the receiving vehicle provides signature verification of the signature on the message M after it has the signature σM and the verifier v using the hash functions H. -
Algorithm 1, Winternitz Key Pair Generation: -
- Input: hash function H:{0,1}*→{0,1}L, block parameter k and n=L/k
- Output: signature key S, verification key V
- 1: Choose n and k such that L=n·k
- 2: Choose s0, s1, . . . , sn εR {0,1}L uniformly at random, i.e., choose n+1 random variable of length L
- 3: Set S={s0, s1, . . . , sn}
- 4: Compute yi=H2
k (si) for i=1, 2, . . . n - 5: Compute z=Hn·2
k (s0) - 6: Compute V=H(y1∥y2∥ . . . ∥yn∥z), where ∥ denotes concatenation
- 7: Private key: =S, Public key: =V
- 8: return (S,V)
-
Algorithm 2, Winternitz Signature Generation: -
- Input: hash function H:{0,1}*→{0,1}L, block parameter k and n=L/k, Message M, signature key S
- Output: One time signature σM on M
- 1: Compute H(M) from M
- 2: Break H(M) in ‘n’, k-bit words b1, b2, . . . , bn
- 3: Compute b0=Σi=1 nbi
- 4: The signature of M is σM=[Hb
1 (s1)∥Hb2 (s2)∥ . . . ∥Hbn (sn)∥Hn·2k-b 0(s0)]
- Algorithm 3, Winternitz Signature Verification:
-
- Input: hash function H:{0,1}*→{0,1}L, block parameter k and n=L/k, Message M, signature σM, verification key V
- Output: TRUE if the signature is valid, FALSE otherwise
- 1: Compute b1, b2, . . . , bn, b0 as in
Algorithm 2 - 2: Denote the σM received as composed of ĥ1∥ĥ2∥ . . . ∥ĥn∥ĥ0
- 3: Compute xi=H2
k-b i(ĥi) for i=1, 2, . . . , n - 4: Compute w=Hb
0 (ĥ0) - 5: Compute V′=H(x1∥x2∥ . . . ∥xn∥w)
- 6: If V′=V then return TRUE, else return FALSE
- 1: Compute b1, b2, . . . , bn, b0 as in
-
FIG. 3 is a plan view of a known HORS OTS scheme 40 for providing message verification. The scheme 40 includes a series of private key values 42, represented as s0, . . . , sm, . . . , s2j+1 , and a row of hash functions 44, represented as H, for each private key value 42. The hash functions 44 generate a series of public key values 46, represented as verifiers v. The set of private key values 42 is the private key S and the set of public key values 46 is the public key V. - Algorithm 4 below is a generation and public key distribution algorithm for the authentication protocol that shows how the private and public key pair S and V is generated for the private key S and the public key V using the hash function H. Algorithm 5 below is a signature generation algorithm for the authentication protocol that shows how the HORS OTS scheme provides signature generation using the hash version or message digest. Algorithm 6 below is a signature verification algorithm for the authentication protocol that shows how the receiving vehicle provides signature verification of the signature on the message M after it has the signature σM and the public key V using the hash function H.
- Algorithm 4, HORS Key Pair Generation:
-
- Input: hash function H:{0,1}*→{0,1}L, block parameter j and n=L/j
- Output: signature key S, verification key P
- 1: Choose n and j such that L=n·j
- 2: Choose s0, s1, . . . , s2
j−1 εR {0,1}L uniformly at random, i.e. choose 2j random variables of length L - 3: Set S={s0, s1, . . . , s2
j−1 } - 4: Compute pi=H(si) for i=0, 1, . . . 2j−1
- 5: Set P={p0, p1, . . . , p2
j−1 } - 6: Private key: =S, Public key: =P
- 7: return (S,P)
- Algorithm 5, HORS Signature Generation:
-
- Input: hash function H:{0,1}*→{0,1}L, block parameter j and n=L/j, Message M, signature key S
- Output: One time signature HORS(M) on M
- 1: Compute H(M) from M
- 2: Break H(M) in ‘n’, j-bit words b1, b2, . . . , bn
- 3: Interpret each bi as integers between 0 to 2j−1
- 4: Signature of M is HORS(M)=sb
1 ∥sb2 ∥ . . . ∥sbn - 5: return HORS(M)
- Algorithm 6, HORS Signature Verification:
-
- Input: hash function H:{0,1}*→{0,1}L, block parameter j and n=L/j, Message M, signature key HORS (M), verification key P
- Output: TRUE if the signature is valid, FALSE otherwise
- 1: Compute b1, b2, . . . , bn as in Algorithm 5
- 2: Interpret each bi as integer between 0 to 2j−1
- 3: return TRUE if for each i=1, . . . , n, H(si)=pi, else return FALSE
- In this way, by the Winternitz OTS scheme employs a signature verification using a relatively few number of private key values 22, but a large number of hash functions 24, 26 and 28, and the HORS OTS scheme employs a signature verification using a relatively large number of private key values 42, but a single hash function 44.
- The communication and computational overhead associated with the Winternitz OTS scheme and the HORS OTS scheme are shown in Table 1 below. The communication overhead is the additional number of bits b that need to be transmitted for every message M that is secured using the OTS scheme. For every message M to be signed, the corresponding public key V has to be distributed ahead of time, and the signature σ has to be appended to the message M. Thus, the communication overhead is the sum of the public key size (in bits) and the signature size (in bits). The computational overhead is the number of hash function computations required to verify the OTS. The security level is the hardness of breaking the OTS in terms of the key length (in bits) of an equally hard symmetric key cipher.
-
TABLE 1 OTS Communication Computation Scheme Cost Cost Security Winternitz (n + 2)L n2k + 1 L − 1 HORS (n + 2j)L n L − n log2 n - The following discussion describes two flexible authentication schemes, namely FAS-I and FAS-II, that employ a combination of the Winternitz OTS scheme and the HORS OTS scheme discussed above. The flexible authentication schemes provide a tradeoff between the communication and computational overheads. Thus, for the Winternitz OTS scheme, the amount of public information that needs to be disseminated and the number of private key values that need to be stored is low, but the computational power that is required for the several layers of the hash functions is high. However, for the HORS OTS scheme, the amount of public information that needs to be disseminated and the number of private key values that need to be stored is high, but the computational overhead is low. The level of security that is desired would depend on how much hashing is done in the Winternitz scheme and how many private key values and verifiers are needed in the HORS OTS scheme. In other words, for the Winternitz OTS scheme, L=nk, and the communication overhead is linear in l and the computational overhead is exponential in k. Thus, an exponential increase in the computational overhead would have to be tolerated in order to gain a linear decrease in the communication overhead. For the HORS OTS scheme, again L=nj, and while the computational overhead is just n, the communication overhead is exponential in j.
- The two flexible authentication schemes discussed below provide a better tradeoff between the two dimensions of overhead. In both of the flexible authentication schemes (FAS) that are discussed, the idea is to use some bits of the hash of the message to choose a random subset (a là HORS) and the other bits to select hash values derived from those subsets (a là Winternitz).
-
FIG. 4 is amatrix 50 of random private key values 52, or seals, chosen to form the private key S. Particularly, each row in thematrix 50 represents a series of private key values for a Winternitz OTS scheme and each column in thematrix 50 represents a series of private key values for a HORS OTS scheme. -
FIG. 5 is a plan view of the FAS-I OTS scheme that includes a series of private key values 62, represented as sm 0, sm 1, . . . , sm l, . . . , sm n1 for the third row of private key values 52 shown inFIG. 4 . A separate OTS scheme would be provided for each row of the private key values 52 for thematrix 50. TheOTS scheme 60 provides threehash functions k , where thehash function 68 for all of the private key values 62 that have been hashed by the hash functions 64 and 66 are concatenated into averifier 70, represented as vm. Thus, each row in thematrix 50 provides a separate verifier bm. - On each row in the
matrix 50, a Winternitz key pair generation algorithm is run to generate the public key V for that row. The set of private key values 52 from each row constitutes the private keys S. To sign a message M, the hashed version of the message M is broken into two parts, namely signing bits and selection bits. The selection bits select which rows will be used to sign the message M and the signing bits are signed by the Winternitz signing algorithm using the values from that row. - Algorithm 7 below is a key generation and public key distribution algorithm for the authentication protocol that shows how the FAS-I OTS scheme generates the key pair S and V, including generation of the
matrix 50. Algorithm 8 below is a signature generation algorithm for the authentication protocol that shows how the FAS-I OTS scheme provides the signature generation using the hash version or message digest. Algorithm 9 below is a signature verification algorithm for the authentication protocol that shows how the FAS-I OTS scheme provides signature verification in the receiving vehicle. - Algorithm 7, FAS-I Key Pair Generation:
-
- Input: hash function H:{0,1}*→{0,1}L, block parameter n, n1, k and j
- Output: signature key S, verification key V
- 1: Choose n, n1, k and j such that L=n·n1·k+n·j
- 2: Choose s0 0, s0 1, . . . , s0 n
1 , . . . , sm 0, sm 1, . . . , sm n1 , . . . , s2j−1 0, s2j−1 1, . . . , s2j−1 n1 εR {0,1}L uniformly at random i.e. choose (n1+1)2j random variables of length L - 3: Set S={s0 0, s0 1, . . . , s0 n
1 , . . . , sm 0, sm 1, . . . , sm n1 , . . . , s2j−1 0, s2j−1 1, . . . , s2j−1 n1 } - 4: For each m ε{0:2j−1} apply Winternitz key pair generation (Algorithm 1) for sm 0, sm 1, . . . , sm n
1 - 5: Denote public value of each m-th Winternitz structure as vm
- 6: Set V={v0, v1, . . . , vm, . . . , v2
j−1 }, where ∥ denotes concatenation - 7: Private key: =S, Public key: =V
- 8: return (S,V)
- Algorithm 8, FAS-I OTS Signature Generation:
-
- Input: hash function H:{0,1}*→{0,1}L, block parameter n, n1, k and j, Message M, signature key S
- Output: One time signature σM on M
- 1: Compute H(M) from M
- 2: Break H(M) in ‘n’, k-bit words and ‘n’ j bit words
- 3: ‘n’ n1k bits words are used for signing. They are denoted as b1 1, b2 1, . . . , bn
1 1, b1 2, b2 2, . . . , bn1 2, . . . , b1 n, b2 n, . . . , bn1 n - 4: ‘n’ j bit words represent n indices in {1:2j} are used for selection. They are denoted as m1, m2, . . . , mn
- 5: Compute b0 i=Σl=1 n
1 bl i for each i ε{1:n} - 6: For each mi sign (b0 i, b1 i, . . . , bn
1 i) using Winternitz signature (Algorithm 2) to generate σm i - 7: The signature of M is σM=[σm
i ∥σmi ∥ . . . ∥σmn ]
- 8: return σM
- Algorithm 9 FAS-I OTS Signature Verification:
-
- Input: hash function H:{0,1}*→{0,1}L, block parameter n, n1, k and j, Message M, signature σM, verification key V
- Output: TRUE if the signature is valid, FALSE otherwise
- 1: Compute (b1 1, b2 1, . . . , bn
1 1, b1 2, b2 2, . . . , bn1 2, . . . , b1 n, b2 n, . . . , bn1 n) and (m1, m2, . . . , mn) as in Algorithm 8 - 2: Verify each vm using Winternitz verification (Algorithm 3)
- 3: If Algorithm 3 returns true for each vm then return TRUE, else return FALSE
- 1: Compute (b1 1, b2 1, . . . , bn
-
FIG. 6 is a plan view of an FAS-II OTS scheme 80 including a set of private key values 82, represented as sc, s0, . . . , sm, . . . , s2j−1 and a series of hash functions 84, 86 and 88, represented as H, HP and H2k , respectively, where the results of thehash function 88 is a series ofverifiers 90, represented as bc, b0, bn and b2j−1 . A first set of random seals are chosen as the private key values 82 and a Winternitz like hash chains are built. The public key V consists of the final values of all the hash chains rather than the hash of their concatenation. To sign a message, the hashed version of the message M is broken into two parts, namely signing bits and selection bits. The selection bits select which of the private key values 82 will be used for signing and the signing bits are signed by an analogous process to the Winternitz signing algorithm. -
Algorithm 10 below is a key generation and public key distribution algorithm for the authentication protocol that shows a process for generating the private and public key pair S and V in the FAS-II OTS scheme.Algorithm 11 below is a signature generation algorithm for the authentication protocol that shows a process for the signature generation for the FAS-II OTS scheme using the hash version or message digest.Algorithm 12 below is a signature verification algorithm for the authentication protocol that shows a process of how the signatures are verified in the receiver for the FAS-II OTS scheme. -
Algorithm 10, FAS-II OTS Scheme Key Pair Generation: -
- Input: hash function H:{0,1}*→{0,1}L, block parameter n, k1 and k2
- Output: signature key S, verification key V
- 1: Choose n, k1, k2 and j such that L=n(k+j)
- 2: Choose s0, s1, . . . , s2
j−1 , sc εR {0,1}L uniformly at random, i.e. choose (2j+1) random variables of length L - 3: Set S={s0, s1, . . . , s2
j−1 , sc} - 4: Compute yi=H2
k (si) for i=0, 1, 2, . . . , 2j−1 - 5: Compute z=Hn·2
k (sc) - 6: Set V={y1∥y2∥ . . . ∥y2
j−1 ∥z} where ∥ denotes concatenation - 7: Private key: =S, Public key: =V
- 8: return (S,V)
-
Algorithm 11, FAS-II OTS Scheme Signature Generation: -
- Input: hash function H:{0,1}*→{0,1}L, block parameter n, k and j, such that L=n(k+j), Message M, signature key S
- Output: One time signature of σM on M
- 1: Compute H(M) from M
- 2: Break H(M) in n, k-bit words and n, j-bit words
- 3: n, k-bit words are used for signing. They are denoted as b1 1, b2 1, . . . , bn 1.
- 4: n, j-bit words are used for selection. They are denoted as b1 2, b2 1, . . . , bn 2
- 5: Compute b0=Σi=l nbi 1
- 6: The signature of M is σM=[Hb
1 1(sb1 2)∥Hb2 1(sb2 2)∥ . . . ∥Hbn 1(sbn 2)∥Hn·2k−b 0(sc)] - 7: return σM
-
Algorithm 12, FAS-II OTS Scheme Signature Verification: -
- Input: hash function H:{0,1}*→{0,1}L, block parameter n, k and j, such that L=n(k+j), Message M, signature σM, verification key V
- Output: TRUE if the signature is valid, FALSE otherwise
- 1: Compute b1 1, b2 1, . . . , bn
1 1, b1 2, b2 2, . . . , bn 2 as inAlgorithm 11 - 2: Denote the σM received as composed of hb
1 2 ∥ĥb2 2 ∥ . . . ∥ĥbn 2 ∥ĥc - 3: Compute xi=H2
k -bi 1 (ĥbi 2 ) for i=1, 2, . . . , n - 4: Compute w=Hb
0 (ĥc) - 5: If yb
i 2 =xi for each i=1, . . . , n and w=z, then return TRUE, else return FALSE
- 1: Compute b1 1, b2 1, . . . , bn
- The overhead associated with the FAS-I and FAS-II OTS schemes are shown in Table 2 below. The communication cost is given in terms of the number of bits. The computational cost is the verification time, and is given in terms of the number of hash operations required. The security level is given in number of bits. The security analysis used to derive the entries in the table is given below.
-
TABLE 2 OTS Communication Computation Scheme Cost Cost Security FAS-I (n(n1 + 1) + 2j)L n( n 12k + 1)L − n log2 n FAS-II (n + 2j + 2)L n2k + 1 L − n log2 n - The security analysis of the FAS-I and FAS-II OTS schemes is analogous to that of the HORS OTS scheme. The OTS scheme interest is in the probability that, after applying the hash unction H on a single message M, the advisory is able to forge a signature on the message M without inverting the one-way hash function H.
- In the FAS-I scheme, the hash of the message M to be signed is broken up into ‘n’ j-bit words, which are used for selecting n out of 2j rows and k-bit words, which are used to create a Winternitz OTS scheme on each of the n chosen rows. Thus, given a message M that hashes to m and its signature σ, forgoing a signature would require the attacker to find another message M′ that hashes to m′ such that its former n·n1·k bits are identical to that of m, and that its latter n·j bits or ‘n’ j-bit words are some permutation of a subset of the latter ‘n’ j-bit works of m. Assuming a random oracle model for the hash function, the probability of this event is
-
- which is nothing but
-
- In the FAS-II scheme, the hash of the message M is broken up into ‘n’ words of length k+j. For each word, the last j bits are used to select a column. Thus, n columns are selected, and then the former k bits of all the n words are signed using the Winternitz signing algorithm. Thus, foregoing a signature would require the attacker to find another message M′ that hashes to m′ such that when broken up into ‘n’ words of length k+j, it would be a permutation of a subset of the ‘n’ words of length k+j of m. The probability of this event (again, assuming that H is random oracle) is a
-
- which is nothing but
-
- Therefore, the security of FAS-I and FAS-II is L−n log2 n bits.
- The foregoing discussion discloses and describes merely exemplary embodiments of the present invention. One skilled in the art will readily recognize from such discussion and from the accompanying drawings and claims that various changes, modifications and variations can be made therein without departing from the spirit and scope of the invention as defined in the following claims.
Claims (20)
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/561,013 US8452969B2 (en) | 2009-09-16 | 2009-09-16 | Flexible broadcast authentication in resource-constrained systems: providing a tradeoff between communication and computational overheads |
DE112010003661.6T DE112010003661B9 (en) | 2009-09-16 | 2010-08-26 | Flexible Broadcast Authentication in Resource-constrained Systems: Provide a compromise between communication overhead and computational effort |
PCT/US2010/046738 WO2011034703A2 (en) | 2009-09-16 | 2010-08-26 | Flexible broadcast authentication in resource-constrained systems: providing a trade-off between communication and computational overheads |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/561,013 US8452969B2 (en) | 2009-09-16 | 2009-09-16 | Flexible broadcast authentication in resource-constrained systems: providing a tradeoff between communication and computational overheads |
Publications (2)
Publication Number | Publication Date |
---|---|
US20110066859A1 true US20110066859A1 (en) | 2011-03-17 |
US8452969B2 US8452969B2 (en) | 2013-05-28 |
Family
ID=43731625
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/561,013 Active 2032-01-23 US8452969B2 (en) | 2009-09-16 | 2009-09-16 | Flexible broadcast authentication in resource-constrained systems: providing a tradeoff between communication and computational overheads |
Country Status (3)
Country | Link |
---|---|
US (1) | US8452969B2 (en) |
DE (1) | DE112010003661B9 (en) |
WO (1) | WO2011034703A2 (en) |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110304425A1 (en) * | 2010-06-09 | 2011-12-15 | Gm Global Technology Operations, Inc | Systems and Methods for Efficient Authentication |
US20120311340A1 (en) * | 2010-02-24 | 2012-12-06 | Renesas Electronics Corporation | Wireless communications device and authentication processing method |
TWI484812B (en) * | 2011-12-01 | 2015-05-11 | Htc Corp | System and method for data authentication among processors |
US20160164682A1 (en) * | 2014-12-04 | 2016-06-09 | Fujitsu Limited | Privacy preserving set-based biometric authentication |
US9438590B2 (en) * | 2014-05-23 | 2016-09-06 | Fujitsu Limited | Privacy preserving biometric authentication based on error correcting codes |
US20170054618A1 (en) * | 2015-08-21 | 2017-02-23 | Barefoot Networks, Inc. | Fast detection and identification of lost packets |
WO2018063622A1 (en) * | 2016-09-27 | 2018-04-05 | Intel Corporation | Hash-based signature balancing |
CN108462948A (en) * | 2017-01-05 | 2018-08-28 | 大众汽车有限公司 | Method, apparatus for vehicle-to-vehicle communication and the computer readable storage medium including instruction |
CN109478278A (en) * | 2016-07-05 | 2019-03-15 | 区块链控股有限公司 | Control method and system for controlling blockchain implementation of external process or system |
US10491405B2 (en) | 2016-10-04 | 2019-11-26 | Denso International America, Inc. | Cryptographic security verification of incoming messages |
US20200213340A1 (en) * | 2017-08-03 | 2020-07-02 | Sumitomo Electric Industries, Ltd. | Detector, detection method and detection program |
US20240039734A1 (en) * | 2021-03-31 | 2024-02-01 | Siemens Aktiengesellschaft | Signing system for validating stateful hash-based digital signatures |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9532194B2 (en) | 2014-05-09 | 2016-12-27 | Cisco Technology, Inc. | Dynamic adjustment of wireless communication transmission rates |
US9215228B1 (en) | 2014-06-17 | 2015-12-15 | Cisco Technology, Inc. | Authentication of devices having unequal capabilities |
US9380044B2 (en) | 2014-09-10 | 2016-06-28 | Cisco Technology, Inc. | Supporting differentiated secure communications among heterogeneous electronic devices |
CN105577379B (en) * | 2014-10-16 | 2020-04-28 | 阿里巴巴集团控股有限公司 | Information processing method and device |
DE102015220224A1 (en) * | 2015-10-16 | 2017-04-20 | Volkswagen Aktiengesellschaft | Method for protected communication of a vehicle |
JP6860656B2 (en) * | 2016-05-18 | 2021-04-21 | オキーフェ, ジェームスO’KEEFEE, James | Dynamic stead LIDAR adapted to the shape of the vehicle |
WO2018044958A1 (en) | 2016-08-29 | 2018-03-08 | Okeeffe James | Laser range finder with smart safety-conscious laser intensity |
US10408940B2 (en) | 2016-09-25 | 2019-09-10 | James Thomas O'Keeffe | Remote lidar with coherent fiber optic image bundle |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4881264A (en) * | 1987-07-30 | 1989-11-14 | Merkle Ralph C | Digital signature system and method based on a conventional encryption function |
US20040062390A1 (en) * | 2002-09-30 | 2004-04-01 | Micron Technology, Inc. | Public key cryptography using matrices |
US20070174626A1 (en) * | 2005-03-05 | 2007-07-26 | Samsung Electronics Co., Ltd. | Method and apparatus for generating and validating digital signature |
US20080181413A1 (en) * | 2007-01-25 | 2008-07-31 | Samsung Electronics Co., Ltd. | Method and node for generating distributed rivest shamir adleman signature in ad-hoc network |
US20080282089A1 (en) * | 2005-04-18 | 2008-11-13 | Yuichi Futa | Signature Generation Apparatus and Signature Verification Apparatus |
US20100086132A1 (en) * | 2007-01-26 | 2010-04-08 | Thales | Data encoding method |
-
2009
- 2009-09-16 US US12/561,013 patent/US8452969B2/en active Active
-
2010
- 2010-08-26 DE DE112010003661.6T patent/DE112010003661B9/en active Active
- 2010-08-26 WO PCT/US2010/046738 patent/WO2011034703A2/en active Application Filing
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4881264A (en) * | 1987-07-30 | 1989-11-14 | Merkle Ralph C | Digital signature system and method based on a conventional encryption function |
US20040062390A1 (en) * | 2002-09-30 | 2004-04-01 | Micron Technology, Inc. | Public key cryptography using matrices |
US20070174626A1 (en) * | 2005-03-05 | 2007-07-26 | Samsung Electronics Co., Ltd. | Method and apparatus for generating and validating digital signature |
US20080282089A1 (en) * | 2005-04-18 | 2008-11-13 | Yuichi Futa | Signature Generation Apparatus and Signature Verification Apparatus |
US20080181413A1 (en) * | 2007-01-25 | 2008-07-31 | Samsung Electronics Co., Ltd. | Method and node for generating distributed rivest shamir adleman signature in ad-hoc network |
US20100086132A1 (en) * | 2007-01-26 | 2010-04-08 | Thales | Data encoding method |
Non-Patent Citations (4)
Title |
---|
Adrian Perrig. 2001. The BiBa one-time signature and broadcast authentication protocol. In Proceedings of the 8th ACM conference on Computer and Communications Security (CCS '01), Pierangela Samarati (Ed.). ACM, New York, NY, USA, 28-37. * |
Buchmann, Johannes; García, Luis; Dahmen, Erik; Döring, Martin; Klintsevich, Elena; "CMSS - An Improved Merkle Signature Scheme," Progress in Cryptology - INDOCRYPT 2006, Lecture Notes in Computer Science, Springer Berlin / Heidelberg, 978-3-540-49767-7, pages 349-363. * |
Dalit Naor; Shenhav, A.; Wool, A.; , "One-Time Signatures Revisited: Practical Fast Signatures Using Fractal Merkle Tree Traversal," Electrical and Electronics Engineers in Israel, 2006 IEEE 24th Convention of , vol., no., pp.255-259, 15-17 Nov. 2006. * |
Qiyan Wang; Khurana, H.; Ying Huang; Nahrstedt, K.; , "Time Valid One-Time Signature for Time-Critical Multicast Data Authentication," INFOCOM 2009, IEEE , vol., no., pp.1233-1241, 19-25 April 2009. * |
Cited By (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120311340A1 (en) * | 2010-02-24 | 2012-12-06 | Renesas Electronics Corporation | Wireless communications device and authentication processing method |
US9432197B2 (en) * | 2010-02-24 | 2016-08-30 | Renesas Electronics Corporation | Wireless communications device and authentication processing method |
US8593253B2 (en) * | 2010-06-09 | 2013-11-26 | Gm Global Technology Operations, Inc. | Systems and methods for efficient authentication |
US20110304425A1 (en) * | 2010-06-09 | 2011-12-15 | Gm Global Technology Operations, Inc | Systems and Methods for Efficient Authentication |
TWI484812B (en) * | 2011-12-01 | 2015-05-11 | Htc Corp | System and method for data authentication among processors |
US9054874B2 (en) | 2011-12-01 | 2015-06-09 | Htc Corporation | System and method for data authentication among processors |
US9240889B2 (en) | 2011-12-01 | 2016-01-19 | Htc Corporation | Method and system for secure data access among two devices |
US9270466B2 (en) | 2011-12-01 | 2016-02-23 | Htc Corporation | System and method for temporary secure boot of an electronic device |
US9438590B2 (en) * | 2014-05-23 | 2016-09-06 | Fujitsu Limited | Privacy preserving biometric authentication based on error correcting codes |
US9967101B2 (en) * | 2014-12-04 | 2018-05-08 | Fujitsu Limited | Privacy preserving set-based biometric authentication |
US20160164682A1 (en) * | 2014-12-04 | 2016-06-09 | Fujitsu Limited | Privacy preserving set-based biometric authentication |
US20170054618A1 (en) * | 2015-08-21 | 2017-02-23 | Barefoot Networks, Inc. | Fast detection and identification of lost packets |
US10110454B2 (en) * | 2015-08-21 | 2018-10-23 | Barefoot Networks, Inc. | Fast detection and identification of lost packets |
CN109478278A (en) * | 2016-07-05 | 2019-03-15 | 区块链控股有限公司 | Control method and system for controlling blockchain implementation of external process or system |
WO2018063622A1 (en) * | 2016-09-27 | 2018-04-05 | Intel Corporation | Hash-based signature balancing |
US10313130B2 (en) | 2016-09-27 | 2019-06-04 | Intel Corporation | Hash-based signature balancing |
US10491405B2 (en) | 2016-10-04 | 2019-11-26 | Denso International America, Inc. | Cryptographic security verification of incoming messages |
CN108462948A (en) * | 2017-01-05 | 2018-08-28 | 大众汽车有限公司 | Method, apparatus for vehicle-to-vehicle communication and the computer readable storage medium including instruction |
US10693831B2 (en) | 2017-01-05 | 2020-06-23 | Volkswagen Ag | Method, apparatus, and computer readable storage medium comprising instructions for vehicle-to-vehicle communication |
US20200213340A1 (en) * | 2017-08-03 | 2020-07-02 | Sumitomo Electric Industries, Ltd. | Detector, detection method and detection program |
US20240039734A1 (en) * | 2021-03-31 | 2024-02-01 | Siemens Aktiengesellschaft | Signing system for validating stateful hash-based digital signatures |
Also Published As
Publication number | Publication date |
---|---|
US8452969B2 (en) | 2013-05-28 |
DE112010003661B4 (en) | 2015-08-27 |
DE112010003661T5 (en) | 2012-10-18 |
DE112010003661B9 (en) | 2015-11-12 |
WO2011034703A3 (en) | 2011-06-16 |
WO2011034703A2 (en) | 2011-03-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8452969B2 (en) | Flexible broadcast authentication in resource-constrained systems: providing a tradeoff between communication and computational overheads | |
US11323249B2 (en) | Cryptographic methods and systems for authentication in connected vehicle systems and for other uses | |
Kamil et al. | An improved certificateless aggregate signature scheme without bilinear pairings for vehicular ad hoc networks | |
Lo et al. | An efficient conditional privacy-preserving authentication scheme for vehicular sensor networks without pairings | |
Wang et al. | SEMA: Secure and efficient message authentication protocol for VANETs | |
US7934095B2 (en) | Method for exchanging messages and verifying the authenticity of the messages in an ad hoc network | |
Ying et al. | Privacy preserving broadcast message authentication protocol for VANETs | |
Wagan et al. | VANET security framework for trusted grouping using TPM hardware | |
Al-Shareeda et al. | LSWBVM: A lightweight security without using batch verification method scheme for a vehicle ad hoc network | |
Mukherjee et al. | An efficient and batch verifiable conditional privacy-preserving authentication scheme for VANETs using lattice | |
EP2003813A1 (en) | Method and Apparatus for Authentication | |
Bayat et al. | A new and efficient authentication scheme for vehicular ad hoc networks | |
Zhang et al. | APPA: Aggregate privacy-preserving authentication in vehicular ad hoc networks | |
CN107040516B (en) | Efficient pseudonym management and data integrity protection protocol | |
Bansal et al. | ID-CEPPA: Identity-based Computationally Efficient Privacy-Preserving Authentication scheme for vehicle-to-vehicle communications | |
Fan et al. | Strongly privacy-preserving communication protocol for VANETs | |
Gong et al. | PCAS: Cryptanalysis and improvement of pairing-free certificateless aggregate signature scheme with conditional privacy-preserving for VANETs | |
Rajkumar et al. | An elliptic curve cryptography based certificate-less signature aggregation scheme for efficient authentication in vehicular ad hoc networks | |
Kushwah et al. | ECDSA for data origin authentication and vehicle security in VANET | |
Maurya et al. | Efficient anonymous batch authentication scheme with conditional privacy in the Internet of Vehicles (IoV) applications | |
Rabadi | Implicit certificates support in IEEE 1609 security services for wireless access in vehicular environment (WAVE) | |
Zhang et al. | Privacy-preserving authentication based on short group signature in vehicular networks | |
CN110493748B (en) | Fog-based road condition detection and authentication method | |
Wei et al. | On a group signature scheme supporting batch verification for vehicular networks | |
CN108965313B (en) | Vehicle violation information publishing method, system and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: GM GLOBAL TECHNOLOGY OPERATIONS, INC., MICHIGAN Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:IYER, ARAVIND V.;BHATTACHARYA, DEBOJYOTI;REEL/FRAME:023242/0926 Effective date: 20090916 |
|
AS | Assignment |
Owner name: UAW RETIREE MEDICAL BENEFITS TRUST, MICHIGAN Free format text: SECURITY AGREEMENT;ASSIGNOR:GM GLOBAL TECHNOLOGY OPERATIONS, INC.;REEL/FRAME:023990/0001 Effective date: 20090710 Owner name: UNITED STATES DEPARTMENT OF THE TREASURY, DISTRICT Free format text: SECURITY AGREEMENT;ASSIGNOR:GM GLOBAL TECHNOLOGY OPERATIONS, INC.;REEL/FRAME:023989/0155 Effective date: 20090710 |
|
AS | Assignment |
Owner name: GM GLOBAL TECHNOLOGY OPERATIONS, INC., MICHIGAN Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:UNITED STATES DEPARTMENT OF THE TREASURY;REEL/FRAME:025246/0234 Effective date: 20100420 |
|
AS | Assignment |
Owner name: GM GLOBAL TECHNOLOGY OPERATIONS, INC., MICHIGAN Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:UAW RETIREE MEDICAL BENEFITS TRUST;REEL/FRAME:025315/0091 Effective date: 20101026 |
|
AS | Assignment |
Owner name: WILMINGTON TRUST COMPANY, DELAWARE Free format text: SECURITY AGREEMENT;ASSIGNOR:GM GLOBAL TECHNOLOGY OPERATIONS, INC.;REEL/FRAME:025324/0555 Effective date: 20101027 |
|
AS | Assignment |
Owner name: GM GLOBAL TECHNOLOGY OPERATIONS LLC, MICHIGAN Free format text: CHANGE OF NAME;ASSIGNOR:GM GLOBAL TECHNOLOGY OPERATIONS, INC.;REEL/FRAME:025781/0299 Effective date: 20101202 |
|
FEPP | Fee payment procedure |
Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
AS | Assignment |
Owner name: GM GLOBAL TECHNOLOGY OPERATIONS LLC, MICHIGAN Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:WILMINGTON TRUST COMPANY;REEL/FRAME:034185/0789 Effective date: 20141017 |
|
FPAY | Fee payment |
Year of fee payment: 4 |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 8 |